Just one more reason not to use myspace
It has been reported publicly that myspace usernames and passwords have been stolen by phishers:
http://www.dslreports.com/shownews/79500
The story of the take-down is here.
http://www.dslreports.com/shownews/79533
Roughly 35,000 myspace usernames and passwords were captured by the bad guys. The reference to 700,000 in the first dslreports link is not accurate, because it did not take into account some massive duplication of data.
I am a member of a security list wherein this problem was reported, and I saw some of the data that the phishers were gathering before the site hosting the stolen information was taken down. One thing that worries me is the easily guessed passwords that were being used by some of the victims. A distinct lack of inspiration when inventing a password was evident on the part of some myspace users.
Roger A. Grimes has blogged about the stolen passwords on infoworld - interesting data crunching:
http://weblog.infoworld.com/securityadviser/archives/2006/11/myspace_passwor.html
I personally recommend that users choose passphrases, not passwords - at least three words, with capitalisation and punctuation included - phrases such as "abc123", "qwerty", "password" and other inane examples should be strictly forbidden. Passwords should also not contain your name, the name of the site you are logging in to, your address or date of birth, names of family members or anything else that somebody who knows you (or could find out about you) could guess. Oh, and forget about things like "passw0rd". Swapping a letter for a number is not going to protect you. Leetspeak may make you look hip 'n' cool, but it is not a security feature.
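To make the advice above concrete, here is a small policy checker, added as an example for this post and not code from the original article. It applies the rules just listed: at least three words, capitalisation and punctuation present, no "inane" passwords even after letter-for-number swaps are undone, and no personal details or site name embedded in the passphrase. The forbidden list and the sample passphrases are constructed for illustration; a real deployment would check against a far larger list of known-breached passwords.

```python
import re

# Constructed blocklist: the examples the post names plus a few equally common picks.
FORBIDDEN = {"abc123", "qwerty", "password", "123456", "letmein", "welcome"}

# Common letter-for-number (leetspeak) swaps, undone so "passw0rd" is judged as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def _core(s: str) -> str:
    """Lowercase and keep only letters and digits, for blocklist and substring comparisons."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _unleet(s: str) -> str:
    """Lowercase and undo leetspeak substitutions."""
    return s.lower().translate(LEET)


def check_passphrase(candidate: str, personal_terms=(), site_name: str = "") -> list:
    """Return the list of policy violations for `candidate`; an empty list means it passes.

    Policy (from the post): at least three words, with capitalisation and punctuation;
    not on the forbidden list even after undoing letter/number swaps; and not containing
    your name, the site name, or other details someone who knows you could guess.
    """
    problems = []
    words = [w for w in candidate.split() if len(w) >= 2]
    if len(words) < 3:
        problems.append("fewer than three words")
    if not any(c.isupper() for c in candidate):
        problems.append("no capital letter")
    if not re.search(r"[^\w\s]", candidate):
        problems.append("no punctuation")

    raw = _core(candidate)
    unleet = _core(_unleet(candidate))
    if raw in FORBIDDEN or unleet in FORBIDDEN:
        problems.append("on the forbidden list (letter/number swaps do not help)")

    # Personal details and the site name are checked both as typed and with leetspeak undone.
    for term in [*personal_terms, site_name]:
        as_typed = _core(term)
        as_unleet = _core(_unleet(term))
        if (as_typed and as_typed in raw) or (as_unleet and as_unleet in unleet):
            problems.append(f"contains {term!r}, which someone who knows you could guess")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "Sandi", "1985" and "myspace" stand in for a user's details.
    for pw in ["passw0rd", "abc123", "MySpace rocks, totally!", "Rainy Tuesdays, warm tea."]:
        result = check_passphrase(pw, personal_terms=("Sandi", "1985"), site_name="myspace")
        print(f"{pw!r}: {result or 'OK'}")
```

Running the block prints a verdict per sample: "passw0rd" fails on word count, capitalisation, punctuation and the blocklist (once the 0 is read as an o), "MySpace rocks, totally!" fails only because it contains the site name, and "Rainy Tuesdays, warm tea." passes every rule.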
As noted in the second article, iPowerWeb were distinctly unhelpful in getting this problem resolved, taking six hours to take down the site. It makes me wonder what sort of legal liability could be laid on hosts such as iPowerWeb when they are alerted to a major phishing incident, are warned that they are hosting stolen data (or are warned that sites they host have been hacked and are infecting visitors), yet fail to mitigate the situation. It is true that in the case of this particular iPowerWeb incident the data files containing the stolen information were deleted (we don't know by whom) before the compromised Web site that was used to store the stolen usernames and passwords was eventually taken down, but we have no way of knowing whether the bad guys had the opportunity to retrieve any or all of the information they had stolen.
Earlier articles about myspace problems include the following. I have long since taken the step of blocking access to myspace on all networks for which I have responsibility - both home and corporate networks.
Fake login pages (28 October 2006):
http://msmvps.com/blogs/spywaresucks/archive/2006/10/28/216648.aspx
Unencrypted logins (8 August 2006):
http://msmvps.com/blogs/spywaresucks/archive/2006/08/08/107051.aspx
One million visitors infected via WMF exploit (21 July 2006):
http://msmvps.com/blogs/spywaresucks/archive/2006/07/21/105450.aspx
Worm spreading through myspace:
http://msmvps.com/blogs/spywaresucks/archive/2006/07/18/105039.aspx linking to http://www.itnews.com.au/newsstory.aspx?CIaNID=34955